--- a/check-cert.pl Mon Sep 14 16:18:34 2009 +0200
+++ b/check-cert.pl Mon Sep 14 17:18:46 2009 +0200
@@ -10,13 +10,19 @@
use IPC::Open2;
use Date::Manip;
use POSIX ":sys_wait_h";
+use feature qw(:5.10);
use lib "/usr/lib/nagios/plugins";
use utils qw (%ERRORS &print_revision &support);
my $ME = basename $0;
+my $USAGE = <<EOF;
+Usage: $ME [-b <binary>] [-i init] [-d <path>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-e <file,file,file,...>]
+ $ME [-h | --help]
+ $ME [-V | --version]
+EOF
my $VERSION = "0.4";
my $hash_file = "/var/tmp/" . basename($0) . ".known.db";
-my %known;
+my (%known, %excluded);
my %certs = ();
my $no_print =
"no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
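Review bot: `$hash_file` places the "known files" cache at a predictable name under the world-writable `/var/tmp`, and splitting `%known` from the new `%excluded` does nothing about that; if the db is read back on later runs (its load and store are not in this hunk), a local user who pre-creates or symlinks `/var/tmp/check-cert.pl.known.db` can mark a certificate file as already checked and keep an expiring cert out of the report. Prefer a directory writable only by the monitoring user, e.g. `my $hash_file = "/var/cache/nagios/" . basename($0) . ".known.db";`, or take the path from an option, and before trusting the file check that it is a regular file owned by the current user. This hunk is only the declaration area; the code that uses `$hash_file` is outside it.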
@@ -24,8 +30,7 @@
"openssl", "x509", "-noout", "-text",
"-certopt", "$no_print", "-subject", "-enddate"
);
-my @cmd_pkcs12 =
- ("openssl", "pkcs12", "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
+my @cmd_pkcs12 = qw(openssl pkcs12 -clcerts -nokeys -nomacver -passin pass:);
my @cmd_pipe = (
"openssl", "x509", "-noout", "-text",
"-certopt", $no_print, "-subject", "-enddate"
@@ -49,6 +54,7 @@
sub process_file();
sub print_help();
sub print_usage();
+sub get_id(;$);
MAIN: {
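Review bot: The forward declaration `sub get_id(;$);` gives the helper a prototype, which in Perl alters how a call is parsed rather than validating its argument, and the no-argument form `get_id()` only works because the definition falls back to `stat(_)`, i.e. whatever filetest ran last; a reader has to find the `-f` in process_file to see that dependency. A plain `sub get_id;` declaration plus a comment at the definition such as `# with no argument, reuses the stat buffer left by the caller's preceding -f test` would make it explicit. The MAIN block that opens on the last line of this hunk continues beyond it.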
@@ -74,10 +80,14 @@
# initiate file-data hash
%known = () if $opt_init;
+ @excluded{@opt_exclude} = ();
find({ wanted => \&process_file }, $opt_directory);
+ exit;
+
# calculate the time
+ # $w_time = time() + 4 * 7 * 86400;
$w_time = DateCalc("today", "+ $opt_warning");
$c_time = DateCalc("today", "+ $opt_critical");
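Review bot: The bare `exit;` added immediately after `find(...)` returns before the warning/critical times are computed and before any status is reported, so as committed the plugin always exits 0 with no output — a check that can never go WARNING or CRITICAL. It reads as a debugging leftover, as does the commented-out `# $w_time = time() + 4 * 7 * 86400;`; both should be dropped. In the same hunk `@excluded{@opt_exclude} = ();` builds the exclude set from the raw option values, whereas the per-file loop it replaces (removed in the next hunk) first split them on commas as `-e <file,file,file,...>` in `$USAGE` promises, so `-e /etc/a.pem,/etc/b.pem` now excludes nothing; use `@excluded{ map { split /,/ } @opt_exclude } = ();`. The MAIN block continues outside this hunk.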
@@ -138,32 +148,32 @@
exit;
}
+sub get_id(;$) { return join " ", (@_ ? stat($_[0]) : stat(_))[7, 9] }
+
sub process_file() {
+
+ return if exists $excluded{$File::Find::name};
return if not -f;
- my $id = join " ", (stat)[7, 9];
+ my $id = get_id();
my $is_certificate = 0;
my $in_cert = 0;
my @cert = ();
my ($rc, $temp, $signature, $subject, $enddate);
# excluded files
- @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
- foreach my $exclude_file (@opt_exclude) {
- if ($exclude_file eq $File::Find::name) {
- $known{$File::Find::name} = $id;
- return;
- }
- }
+ # @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
return
if exists $known{$File::Find::name}
and $known{$File::Find::name} eq $id;
+ #say $File::Find::name;
# checking for pkcs12 certificates
+
+ if (0) {
my @cmd_pkcs12_current = @cmd_pkcs12;
push @cmd_pkcs12_current, "-in", $File::Find::name, "2>/dev/null";
-
my $cid = open(FILE, "@cmd_pkcs12_current |") || die "Can't fork: $!";
while (<FILE>) {
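Review bot: `if (0) {` wraps the whole PKCS#12 branch, so that file type is now silently skipped with no usage text or log line saying so; if it is meant to come back, note that the piped open it guards, `open(FILE, "@cmd_pkcs12_current |")`, interpolates `$File::Find::name` into a shell command line (the `2>/dev/null` is what forces a shell), so a file name containing shell metacharacters anywhere under the scanned directory is executed as a command by the plugin. Rewrite it as a list-form open that never involves a shell, `open(my $p12, '-|', @cmd_pkcs12, '-in', $File::Find::name) or die "Can't fork: $!";`, and discard stderr with `IPC::Open3` (core) or a `local *STDERR` reopened on `/dev/null` rather than the redirect string. Until then, either delete the dead branch or replace `if (0)` with a named flag plus a debug message so the skipped check is visible. process_file's body continues past the end of this hunk.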
@@ -196,36 +206,29 @@
$known{$File::Find::name} = $id if not($is_certificate);
return;
}
-
- open(FILE, $File::Find::name) or die "can't open $_: $!";
-
- while (<FILE>) {
+}
- # cheking for x509 certificates
- if ($in_cert) {
- push @cert, $_;
- if (/^-----END CERTIFICATE-----$/) {
- $in_cert = 0;
+ open(FILE, $_) or die "can't open $File::Find::name: $!";
+ my $file = join "", <FILE>;
+ close(FILE);
+
+ while ($file =~ /^(-+BEGIN CERTIFICATE.*?-+END CERTIFICATE-+)$/msg) {
- # open filehandles (for read and write)
- local (*READ, *WRITE);
- my $cid = open2(\*READ, \*WRITE, @cmd_x509)
- or die "Can' fork: $!\n";
- print WRITE @cert;
- close(WRITE);
- @cert = ();
+ # open filehandles (for read and write)
+ local (*READ, *WRITE);
+ my $cid = open2(\*READ, \*WRITE, @cmd_x509)
+ or die "Can' fork: $!\n";
+ print WRITE $1;
+ close(WRITE);
- while (<READ>) {
- /Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
- /^subject=\s+(.*)$/ and $subject = $1;
- /^notAfter=(.*)\s+$/ and $enddate = $1;
- }
- close(READ);
+ while (<READ>) {
+ /Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
+ /^subject=\s+(.*)$/ and $subject = $1;
+ /^notAfter=(.*)\s+$/ and $enddate = $1;
+ }
+ close(READ);
- # waiting for child processes
- do {
- $cid = waitpid(-1, WNOHANG);
- } while $cid > 0;
+ waitpid($cid, 0) < 0 and die "no child with pid $cid\n";
if ($opt_debug) {
print "-----\n";
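Review bot: The new slurp `open(FILE, $_)` is a two-argument open, so a file under the scanned tree whose name begins with `>`, `<` or `|`, or ends with `|`, is treated as a mode or a pipe rather than a path; use the three-argument form with a lexical handle. In the same loop `$signature`, `$subject` and `$enddate` are declared once per file (at the top of process_file, above this hunk) and only conditionally assigned from openssl's output, so a PEM block that openssl rejects pushes the previous certificate's subject and expiry onto `$certs{...}`, and since `$?` is never inspected after `waitpid` the failure is silent. Declare the three per iteration and skip the block when openssl exits non-zero, as below. process_file begins before this hunk and ends in the next one.
```perl
    open(my $fh, '<', $_) or die "can't open $File::Find::name: $!";
    my $file = do { local $/; <$fh> };
    close($fh);

    while ($file =~ /^(-+BEGIN CERTIFICATE.*?-+END CERTIFICATE-+)$/msg) {
        my $pem = $1;
        # fresh per certificate so a parse failure cannot inherit the previous block's values
        my ($signature, $subject, $enddate);
        # … unchanged apart from writing $pem instead of $1: open2 of @cmd_x509, print/close WRITE, read loop …
        waitpid($cid, 0) < 0 and die "no child with pid $cid\n";
        if ($? != 0) {
            warn "openssl x509 failed on $File::Find::name (exit " . ($? >> 8) . ")\n";
            next;
        }
        # … unchanged: debug output and push onto $certs{$File::Find::name} …
```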
@@ -239,41 +242,30 @@
@{ $certs{$File::Find::name} },
($subject, $enddate, $signature)
);
- $is_certificate = 1;
- next;
- }
+
+ $is_certificate = 1;
}
- if (/^-----BEGIN CERTIFICATE-----$/) {
- $in_cert = 1;
- push @cert, $_;
- next;
- }
- }
-
$known{$File::Find::name} = $id if not($is_certificate);
- close(FILE);
}
-sub print_usage() {
- print "Usage:\n";
- print
-" $ME [-b <binary>] [-i init] [-d <path>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-e <file,file,file,...>]\n";
- print " $ME [-h | --help]\n";
- print " $ME [-V | --version]\n";
-}
+
+sub print_usage() { print $USAGE };
sub print_help() {
print_revision($ME, $VERSION);
- print "Copyright (c) 2009 Christian Arnold\n\n";
- print "This plugin checks the expire date for openssl certificates.\n\n";
- print_usage();
- print "\n";
- print " -b, --binary <binary>\n";
- print " Path of openssl binary (default: /usr/bin/openssl)\n";
- print " -d, --directory <path>\n";
- print
-" Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
+print <<EOF;
+Copyright (c) 2009 Christian Arnold
+
+This plugin checks the expire date for openssl certificates.
+
+$USAGE
+ -b, --binary <binary>
+ Path of openssl binary (default: /usr/bin/openssl)
+ -d, --directory <path>
+EOF
+
+print "Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
print " -w, --warning <time>\n";
print
" Certificat should not be more than this time older (default: 1month).\n";